4c197614f55315eb5832d46451e00b0157bffa76b6e1b2180104d2552448de8d

Analysis

max time kernel
148s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

12.0MB
MD5

df6954981e91e7edac214fbacc452a96
SHA1

e826c4fd82563792315895b1fac558cbc75669d3
SHA256

4c197614f55315eb5832d46451e00b0157bffa76b6e1b2180104d2552448de8d
SHA512

c5168e2e77a93c37f29e0263672f24dc818a1d9f1d2b19064585ee30f2db489122b60c7bced2964b6b45358b68672f8589dc1cb9522e0d138c98ede787c48b89

Score

9^/10

bootkit miner persistence vmprotect

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Executes dropped EXE 24 IoCs

Processes:

NVIDIAContainer.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
860	NVIDIAContainer.exe
1252	lolMiner.exe
820	lolMiner.exe
1392	lolMiner.exe
1600	lolMiner.exe
932	lolMiner.exe
1196	lolMiner.exe
1716	lolMiner.exe
1820	lolMiner.exe
1740	lolMiner.exe
1592	lolMiner.exe
1768	lolMiner.exe
820	lolMiner.exe
2020	lolMiner.exe
1732	lolMiner.exe
1776	lolMiner.exe
1060	lolMiner.exe
864	lolMiner.exe
1948	lolMiner.exe
748	lolMiner.exe
1788	lolMiner.exe
1768	lolMiner.exe
628	lolMiner.exe
1600	lolMiner.exe

VMProtect packed file 49 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1252-63-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/820-71-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1392-79-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1600-87-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/932-95-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1196-103-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1716-111-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1820-119-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1740-127-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1592-136-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
behavioral1/memory/1592-135-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1768-144-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/820-152-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/2020-160-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1732-168-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
behavioral1/memory/1732-172-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1060-181-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/864-189-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1948-201-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/748-210-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1788-219-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1768-228-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/628-234-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral1/memory/1600-242-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1304 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

NVIDIAContainer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 NVIDIAContainer.exe

pid	process
1304	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	NVIDIAContainer.exe

Drops file in System32 directory 28 IoCs

Processes:

lolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exetmp.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153218.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153347.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153209.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153342.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153148.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153153.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153223.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153253.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153311.txt	lolMiner.exe
File created	C:\Windows\SysWOW64\ETH\lolMiner.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153336.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153353.txt	lolMiner.exe
File created	C:\Windows\SysWOW64\ETH\start.bat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153258.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153303.txt	lolMiner.exe
File created	C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153139.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153245.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153323.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\lolMiner.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153158.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153233.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153333.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\start.bat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153228.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153328.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_153356.txt	lolMiner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

Processes:

lolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
1252	lolMiner.exe
820	lolMiner.exe
1392	lolMiner.exe
1600	lolMiner.exe
932	lolMiner.exe
1196	lolMiner.exe
1716	lolMiner.exe
1820	lolMiner.exe
1740	lolMiner.exe
1592	lolMiner.exe
1768	lolMiner.exe
820	lolMiner.exe
2020	lolMiner.exe
1732	lolMiner.exe
1060	lolMiner.exe
864	lolMiner.exe
1948	lolMiner.exe
748	lolMiner.exe
1788	lolMiner.exe
1768	lolMiner.exe
628	lolMiner.exe
1600	lolMiner.exe

Drops file in Windows directory 1 IoCs

Processes:

NVIDIAContainer.exe

description ioc process

File created C:\Windows\CyGqhxLZ.dat NVIDIAContainer.exe

description	ioc	process
File created	C:\Windows\CyGqhxLZ.dat	NVIDIAContainer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	lolMiner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NVIDIAContainer.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
860	NVIDIAContainer.exe
1252	lolMiner.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
820	lolMiner.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
1392	lolMiner.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
1600	lolMiner.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

tmp.exeNVIDIAContainer.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
1872	tmp.exe
1872	tmp.exe
860	NVIDIAContainer.exe
860	NVIDIAContainer.exe
1252	lolMiner.exe
1252	lolMiner.exe
1252	lolMiner.exe
1252	lolMiner.exe
1252	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
1392	lolMiner.exe
1392	lolMiner.exe
1392	lolMiner.exe
1392	lolMiner.exe
1392	lolMiner.exe
1600	lolMiner.exe
1600	lolMiner.exe
1600	lolMiner.exe
1600	lolMiner.exe
1600	lolMiner.exe
932	lolMiner.exe
932	lolMiner.exe
932	lolMiner.exe
932	lolMiner.exe
932	lolMiner.exe
1196	lolMiner.exe
1196	lolMiner.exe
1196	lolMiner.exe
1196	lolMiner.exe
1196	lolMiner.exe
1716	lolMiner.exe
1716	lolMiner.exe
1716	lolMiner.exe
1716	lolMiner.exe
1716	lolMiner.exe
1820	lolMiner.exe
1820	lolMiner.exe
1820	lolMiner.exe
1820	lolMiner.exe
1820	lolMiner.exe
1740	lolMiner.exe
1740	lolMiner.exe
1740	lolMiner.exe
1740	lolMiner.exe
1740	lolMiner.exe
1592	lolMiner.exe
1592	lolMiner.exe
1592	lolMiner.exe
1592	lolMiner.exe
1592	lolMiner.exe
1768	lolMiner.exe
1768	lolMiner.exe
1768	lolMiner.exe
1768	lolMiner.exe
1768	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe
820	lolMiner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NVIDIAContainer.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 1304	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1304	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1304	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1304	860	NVIDIAContainer.exe	cmd.exe
PID 1304 wrote to memory of 1252	1304	cmd.exe	lolMiner.exe
PID 1304 wrote to memory of 1252	1304	cmd.exe	lolMiner.exe
PID 1304 wrote to memory of 1252	1304	cmd.exe	lolMiner.exe
PID 1304 wrote to memory of 1252	1304	cmd.exe	lolMiner.exe
PID 860 wrote to memory of 1160	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1160	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1160	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1160	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1912	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1912	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1912	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1912	860	NVIDIAContainer.exe	cmd.exe
PID 1912 wrote to memory of 820	1912	cmd.exe	lolMiner.exe
PID 1912 wrote to memory of 820	1912	cmd.exe	lolMiner.exe
PID 1912 wrote to memory of 820	1912	cmd.exe	lolMiner.exe
PID 1912 wrote to memory of 820	1912	cmd.exe	lolMiner.exe
PID 860 wrote to memory of 1384	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1384	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1384	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1384	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1636	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1636	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1636	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1636	860	NVIDIAContainer.exe	cmd.exe
PID 1636 wrote to memory of 1392	1636	cmd.exe	lolMiner.exe
PID 1636 wrote to memory of 1392	1636	cmd.exe	lolMiner.exe
PID 1636 wrote to memory of 1392	1636	cmd.exe	lolMiner.exe
PID 1636 wrote to memory of 1392	1636	cmd.exe	lolMiner.exe
PID 860 wrote to memory of 1052	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1052	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1052	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1052	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1624	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1624	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1624	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1624	860	NVIDIAContainer.exe	cmd.exe
PID 1624 wrote to memory of 1600	1624	cmd.exe	lolMiner.exe
PID 1624 wrote to memory of 1600	1624	cmd.exe	lolMiner.exe
PID 1624 wrote to memory of 1600	1624	cmd.exe	lolMiner.exe
PID 1624 wrote to memory of 1600	1624	cmd.exe	lolMiner.exe
PID 860 wrote to memory of 1864	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1864	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1864	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1864	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1032	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1032	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1032	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1032	860	NVIDIAContainer.exe	cmd.exe
PID 1032 wrote to memory of 932	1032	cmd.exe	lolMiner.exe
PID 1032 wrote to memory of 932	1032	cmd.exe	lolMiner.exe
PID 1032 wrote to memory of 932	1032	cmd.exe	lolMiner.exe
PID 1032 wrote to memory of 932	1032	cmd.exe	lolMiner.exe
PID 860 wrote to memory of 432	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 432	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 432	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 432	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1720	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1720	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1720	860	NVIDIAContainer.exe	cmd.exe
PID 860 wrote to memory of 1720	860	NVIDIAContainer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1720

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1148

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1664

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:536

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1356

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1236

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1648

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:332

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1136

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1872

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1104

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1048

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1480

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1740

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1724

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2016

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:664

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1616

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Auvqqrrf -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1600

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
Filesize
1016KB

MD5
b5919fb4fafe2d54aef9d68480ad322b

SHA1
9228753ed61d9afe3a7d15662540908ce96cfec6

SHA256
f674c40c9df93477bf152947aa81f05bc56c58c6e8d7e9a06fad328bfce3c05a

SHA512
7e20cfbaceba8f88bf1634ffe80b50851ec0bbf6fc9ba7fa8997e40f9d562e8844407a9241744bafe860dc2333ef124ac35b887a9593660378ab866c02c7715e

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\start.bat
Filesize
115B

MD5
db9fbef22c4464bd2aa196aba270c6f6

SHA1
25ad95243a82337e6e7a52e0f0061825bb439987

SHA256
8fe911cb621a0e61dfc40a85c34039bd399aed5feec42d05549f6a3bd742f7e5

SHA512
28bf39b8db64cbe3da59dd0955336fa7b4fc60d3065c2205e0f90d0bee9927e5cf06a4922015261c28dbce81fbecba37ca78b27cf3ab331b7f11ab3a0190b596

Download Submit
\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
memory/284-164-0x0000000000000000-mapping.dmp

Download
memory/332-157-0x0000000000000000-mapping.dmp

Download
memory/432-99-0x0000000000000000-mapping.dmp

Download
memory/536-124-0x0000000000000000-mapping.dmp

Download
memory/628-234-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/664-230-0x0000000000000000-mapping.dmp

Download
memory/748-210-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/748-204-0x0000000000000000-mapping.dmp

Download
memory/760-193-0x0000000000000000-mapping.dmp

Download
memory/808-131-0x0000000000000000-mapping.dmp

Download
memory/820-152-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/820-71-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/820-69-0x0000000000000000-mapping.dmp

Download
memory/820-150-0x0000000000000000-mapping.dmp

Download
memory/864-187-0x0000000000000000-mapping.dmp

Download
memory/864-189-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/932-95-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/932-93-0x0000000000000000-mapping.dmp

Download
memory/956-177-0x0000000000000000-mapping.dmp

Download
memory/1032-92-0x0000000000000000-mapping.dmp

Download
memory/1048-186-0x0000000000000000-mapping.dmp

Download
memory/1052-83-0x0000000000000000-mapping.dmp

Download
memory/1060-179-0x0000000000000000-mapping.dmp

Download
memory/1060-181-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1104-178-0x0000000000000000-mapping.dmp

Download
memory/1136-165-0x0000000000000000-mapping.dmp

Download
memory/1148-108-0x0000000000000000-mapping.dmp

Download
memory/1156-107-0x0000000000000000-mapping.dmp

Download
memory/1160-67-0x0000000000000000-mapping.dmp

Download
memory/1196-103-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1196-101-0x0000000000000000-mapping.dmp

Download
memory/1236-141-0x0000000000000000-mapping.dmp

Download
memory/1252-63-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1252-60-0x0000000000000000-mapping.dmp

Download
memory/1284-140-0x0000000000000000-mapping.dmp

Download
memory/1296-123-0x0000000000000000-mapping.dmp

Download
memory/1304-58-0x0000000000000000-mapping.dmp

Download
memory/1304-220-0x0000000000000000-mapping.dmp

Download
memory/1356-132-0x0000000000000000-mapping.dmp

Download
memory/1384-75-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1392-79-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1480-194-0x0000000000000000-mapping.dmp

Download
memory/1520-202-0x0000000000000000-mapping.dmp

Download
memory/1592-135-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1592-133-0x0000000000000000-mapping.dmp

Download
memory/1592-136-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1600-242-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1600-85-0x0000000000000000-mapping.dmp

Download
memory/1600-87-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1624-84-0x0000000000000000-mapping.dmp

Download
memory/1628-156-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000000000000-mapping.dmp

Download
memory/1648-149-0x0000000000000000-mapping.dmp

Download
memory/1664-116-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000000000000-mapping.dmp

Download
memory/1716-111-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1720-100-0x0000000000000000-mapping.dmp

Download
memory/1724-212-0x0000000000000000-mapping.dmp

Download
memory/1732-166-0x0000000000000000-mapping.dmp

Download
memory/1732-168-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1732-172-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1740-125-0x0000000000000000-mapping.dmp

Download
memory/1740-127-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1740-203-0x0000000000000000-mapping.dmp

Download
memory/1764-148-0x0000000000000000-mapping.dmp

Download
memory/1768-222-0x0000000000000000-mapping.dmp

Download
memory/1768-142-0x0000000000000000-mapping.dmp

Download
memory/1768-228-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1768-144-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1776-175-0x0000000000000000-mapping.dmp

Download
memory/1788-219-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1788-213-0x0000000000000000-mapping.dmp

Download
memory/1804-185-0x0000000000000000-mapping.dmp

Download
memory/1808-173-0x0000000000000000-mapping.dmp

Download
memory/1820-119-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1820-117-0x0000000000000000-mapping.dmp

Download
memory/1856-115-0x0000000000000000-mapping.dmp

Download
memory/1864-91-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1872-174-0x0000000000000000-mapping.dmp

Download
memory/1912-68-0x0000000000000000-mapping.dmp

Download
memory/1948-195-0x0000000000000000-mapping.dmp

Download
memory/1948-201-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1964-229-0x0000000000000000-mapping.dmp

Download
memory/1984-211-0x0000000000000000-mapping.dmp

Download
memory/2016-221-0x0000000000000000-mapping.dmp

Download
memory/2020-158-0x0000000000000000-mapping.dmp

Download
memory/2020-160-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads